> > I've a sample aklog program (key submission) should you be interested.
>
> I'd be interested. BTW, I just took a brief look and had a quick
> question.

Please see attached files.

    key_afs.c    Rudimentary kAFS filesystem token handling
    afsutil.h    }
    kernel.c     } aklog program
    aklog.c      }

> > + if (bprm->e_uid != current->uid)
> > + suid_keys(current);
> > + exec_keys(current);
> > +
>
> would the security module be expected to update/revoke keys if the thing changes
> security domains on exec?

I don't know. Currently this patch replaces the old session keyring in
favour of a new empty one upon SUID exec. I suspect that depends on the
policy set by the administrator. If you've a better suggestion than what
I've done, feel free to make it.

> > task_lock(current);
> > unsafe = unsafe_exec(current);
> > security_bprm_apply_creds(bprm, unsafe);

David
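
Review bot: the `bprm->e_uid != current->uid` test in the added lines only catches a UID change, so a set-GID exec (where `bprm->e_gid` differs from `current->gid`) would keep the caller's session keyring; if that is intended it deserves a comment, otherwise the condition should cover the GID case as well. The new calls also sit before `task_lock(current)` and `security_bprm_apply_creds(bprm, unsafe)`, so the keyring decision is taken from `bprm->e_uid` before the security module has applied credentials; either explain why that ordering is correct or move the key handling after it. As visible here, the results of `suid_keys()` and `exec_keys()` are not checked, so if either can fail the exec path should handle that.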